No write access to shared system binaries

A.1.2.c Verify that an entity’s users do not have write access toshared system binaries

Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared systems binaries. The only exception is of course the root user, so software upgrades are still possible.

Paths for system binaries

Depending on the distribution used there are several directories which have shared system binaries. Common paths are:

These paths can be scanned for any binary having incorrect permissions. In this particular case we are interested in binaries which can be overwritten by people in the “other” group.

find /bin -perm -o=w ! -type l

This will show any system binaries in /bin where the other group has the write bit set. We skip symlinks, as they are not interesting and give false positives to the test.

Depending on the paths, this has to be repeated for all of them. Any findings from the find command means this binary (or file) can be written to by someone other than the owner. Usually this is a sign of bad system management or a possible intrusion.

This information is provided as an addition to the PCI DSS plugin for Lynis

Linux and UNIX security automation

Lynis is a free and open source security scanner. It helps with testing the defenses of your Linux, macOS, and Unix systems. Typical use-cases for this software include system hardening, vulnerability scanning, and checking compliance with security standards (PCI-DSS, ISO27001, etc).